"Mark Zuckerberg Facebook fan page hack: who was behind it?"
http://www.guardian.co.uk/technology...rk-zuckerberg-
facebook-fan-hack-investigation
" ... Let's follow up some of the trail left in the Mark Zuckerberg
Facebook fan page hacking incident.
The only – and best clue – is the link left by the hacker in the status
update posted on Zuckerberg's wall, which reads "Let the hacking begin:
if facebook needs money, instead of going to the banks, why doesn't
Facebook let its user invest in Facebook in a social way? Why not
transform Facebook into a 'social business' the way Nobel Price [sic]
winner Muhammad Yunus described it?
http://bit.ly/f26rT3 What do you
think? #hackercup2011"
That contains a bit.ly link. Well, you can find out what the original
URL is by adding a plus on the end, so:
http://bit.ly/fs6rT3+ From
which we can see that about 17,000 people clicked the link. Not bad
(though we have to say that Julian Assange gets more clicks when he
appears on the Guardian ... but we digress).
The original, shortened link was actually:
http://en.wikipedia.org/wiki/
Social_business?
h=d044aeb71f4e466a552708fc6e3863ef&thanksforthecup =https://
http://www.facebook.com/photo.php%3F...6636768%26fbid
%3D170535036312026
Let's begin with the second part of the long link – the part that
starts "thanksforthecup": it's URL-encoded (so "%3D" actually stands
for the character "=", "%26" for "&") and leads to a Facebook photo
page for the Hacker Cup, a competition run by Facebook itself. So the
hacker is saying he thinks he should get the cup. OK, we get it.
Now, back to the first part. If you just click the link, you'll be
taken to Wikipedia's page about social business. But not the latest
version – to a specific version in its edit history. That is, to http://
en.wikipedia.org/wiki/Social_business?
h=d044aeb71f4e466a552708fc6e3863ef – which is not the same, now, as
http://en.wikipedia.org/wiki/Social_business. If you open them in two
tabs, or just open the first in a tab and click on the "Article" link
in the top left, you'll see it. Go back and forth a couple of times and
you might spot the difference. Yes? No? Have a look at this difference
page, then. (And look at how it was before that edit.)
Yup, the difference is the addition in the first sentence. Usually,
that reads:
"A '''social business''' is a non-loss, non-dividend company designed
to address a social objective"
But in the edited (older) version that you get sent to, the phrase
" much like [
http://www.romanstwelve.net www.romanstwelve.net]"
has been added. (The square brackets turn the text into a link going
out to romanstwelve.net). And what does that site do? It offers "total
web consulting" and is based in Pickerington, Ohio.
Crucially, as the picture shows, that edit was only on Wikipedia for
two minutes on Tuesday 25 – between 19.17EST and 19.19EST – indicating
that the hacker must have created the edit with the link and then
deleted it straight afterwards, but kept the link to the version he had
edited. Then he encoded the link for the photo and attached it to the
Wikipedia link, and stuffed the whole lot into bit.ly. Then, having got
the shortened link, he went and updated the status on the fan page. The
timing of the change, and its reversion, indicates that this was the
same person. You don't accidentally link to an old version of a page;
you'd link to the generic version.
In other words, we might be able to find the hacker if we can find out
who changed the Wikipedia page. Unfortunately, it wasn't done by a
registered user. But because of Wikipedia's clever tracking system, you
can see the IP of non-registered users: there it is at the top of the
edit page in the screenshot: 131.74.110.168. You can also see what
articles machines at that IP address have edited – a very mixed bag–-
and also how edits from that IP have been increasingly smacked down by
Wikipedia editors (latest on that page coming from October 2009:
"Please stop your disruptive editing. If you continue to vandalise
Wikipedia, as you did at Lyoto Machida, you will be blocked from
editing."
So who's behind 131.74.110.168? A quick whois query tells you that
it... the US department of defence in Williamsburg.
In other words: this might be someone in the military. Most likely
those edits don't come from one person – they come from all sorts of
people in the Williamsburg location. Or, just as possible, it was
someone who had hacked into the computers there from outside (not as
difficult as you'd hope it would be) and is using them as a proxy to
make the Wikipedia edit, and, quite possibly, hack Zuckerberg's page.
(We've asked Facebook whether Zuckerberg's page was accessed from that
IP, but haven't had an answer yet.)
That's about all the clues we have: a US DOD IP, a transient Wikipedia
page, and a link to a web consulting business. We asked Jeremy Reger,
of Romanstwelve, if he was involved with or knew who was behind the
hacking. His answer is an emphatic no: "Hackers don't link to pages who
then link to pages. I do not have any idea who did the hack." He added:
"I'm sure Facebook would confirm that the IP [address] in the wiki
history in not the same IP that "hacked" the fan page."
That remains to be seen. For now, all we have are the pieces of the
hack. Can anyone add more?
Similar Threads
